22 matches found

ATTACKERKB
added 2026/05/04 12:00 a.m., 0 views

CVE-2026-7713

A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generateauthtoken of the file cps/koboauth.py of the component Kobo auth-token Route. The manipulation results in improper authorization. The attack may be performed fr...

CVSS 6.5, AI score 6.2, EPSS 0.00075
Exploits 0, References 9, Affected Software 1
Packet Storm News
added 2026/01/12 12:00 a.m., 3 views

When Bots Take the Bait: Exposing and Mitigating the Emerging Social Engineering Attack in Web Automation Agent

Web agents, powered by large language models (LLMs), are increasingly deployed to automate complex web interactions. The rise of open-source frameworks (e.g., Browser Use, Skyvern-AI) has accelerated adoption, but has also broadened the attack surface. While prior research has focused on model threats su...

AI score 7.4
Exploits 0
Veracode
added 2025/11/11 8:44 a.m., 4 views

XPath Injection

smolagents is vulnerable to XPath injection. The vulnerability is due to insecure XPath construction: search_item_ctrl_f concatenates unsanitized user input into XPath expressions, allowing attackers to inject XPath to bypass filters, access unintended DOM nodes, or disrupt web automation...

CVSS 5.4, AI score 5.5, EPSS 0.0005
Exploits 2, References 4, Affected Software 1
Akamai Blog
added 2025/10/29 1:00 p.m., 4 views

The State of Agentic AI: Disrupting Publishing and Reshaping Ecommerce

Learn how agentic AI is transforming how users and automation interact with the web — changing how people shop, search, and consume content...

AI score 7
Exploits 0
RedhatCVE
added 2025/10/23 2:15 p.m., 2 views

CVE-2025-11844

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitizatio...

CVSS 5.4, AI score 7, EPSS 0.0005
Exploits 2, References 1
EUVD
added 2025/10/22 3:31 p.m., 3 views

EUVD-2025-35361

Hugging Face Smolagents XPath injection vulnerability in the search_item_ctrl_f function...

CVSS 5.4, AI score 5.7, EPSS 0.0005
Exploits 2, References 3
Github Security Blog
added 2025/10/22 3:31 p.m., 6 views

Hugging Face Smolagents XPath injection vulnerability in the search_item_ctrl_f function

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitizatio...

CVSS 5.4, AI score 7, EPSS 0.0005
Exploits 2, References 4, Affected Software 1
OSV
added 2025/10/22 3:31 p.m., 3 views

GHSA-8MF9-RMGW-33QC Hugging Face Smolagents XPath injection vulnerability in the search_item_ctrl_f function

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitizatio...

CVSS 5.4, AI score 7, EPSS 0.0005
Exploits 2, References 4
CVE
added 2025/10/22 1:13 p.m., 9 views

CVE-2025-11844

Hugging Face Smolagents 1.20.0 has an XPath injection in search_item_ctrl_f (vision_web_browser.py) where user input is concatenated into XPath queries without sanitization, allowing attackers to modify query logic, bypass filters, and access unintended DOM elements, potentially disrupting AI web...

CVSS 5.4, AI score 5.7, EPSS 0.0005
Exploits 2, References 2, Affected Software 1
Huntr
added 2025/07/16 9:46 p.m., 7 views

XPath Injection in search_item_ctrl_f Function - Hugging Face Smolagents v1.20.0

The search_item_ctrl_f function in the Hugging Face Smolagents library is vulnerable to XPath injection. The function simply concatenates user input into an XPath query without sanitizing or escaping the input. Vulnerable Code Location: File: src/smolagents-1.20.0/smolagents/vision_web_browser.py...

CVSS 5.4, AI score 6, EPSS 0.0005
Exploits 2
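The smolagents entries above (Veracode through Huntr) all describe one defect class: a search term concatenated straight into an XPath `contains(text(), '...')` predicate, so a quote in the term ends the literal and the remainder becomes query logic. The block below is an added example, not smolagents' own code: it places the unsafe construction beside a hardened builder that always emits a valid XPath 1.0 string literal (switching to `concat()` when the value holds both quote types), and includes a small parser that reads the term back out of a built query so the boundary break is visible without a browser. The query template, the function names and the payload are assumptions for illustration.

```python
import re

# Added example, not smolagents' code. The template is assumed for
# illustration; the advisories only say the term is concatenated into a
# contains(text(), ...) query.
TEMPLATE_HEAD = "//*[contains(text(), "
TEMPLATE_TAIL = ")]"


def build_query_unsafe(term: str) -> str:
    """The defect class: the term is dropped straight between the quotes."""
    return f"{TEMPLATE_HEAD}'{term}'{TEMPLATE_TAIL}"


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 expression that evaluates to exactly `value`.

    XPath 1.0 string literals have no escape sequences, so a value that
    contains both quote types must be assembled with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for piece in re.split(r"(')", value):
        if piece == "'":
            parts.append('"\'"')          # a lone apostrophe, double-quoted
        elif piece:
            parts.append(f"'{piece}'")    # the rest holds no apostrophe
    return "concat(" + ", ".join(parts) + ")"


def build_query_safe(term: str) -> str:
    """Hardened builder: the term can only ever be a string literal."""
    return f"{TEMPLATE_HEAD}{xpath_literal(term)}{TEMPLATE_TAIL}"


def _parse_quoted(s: str):
    """Consume one 'x' or "x" literal; return (text, remainder) or (None, s)."""
    if not s or s[0] not in "'\"":
        return None, s
    end = s.find(s[0], 1)
    if end < 0:
        return None, s
    return s[1:end], s[end + 1:]


def _parse_literal_expr(s: str):
    """Consume a quoted literal or a concat(...) of quoted literals."""
    if not s.startswith("concat("):
        return _parse_quoted(s)
    s = s[len("concat("):]
    pieces = []
    while True:
        text, s = _parse_quoted(s)
        if text is None:
            return None, s
        pieces.append(text)
        if s.startswith(", "):
            s = s[2:]
        elif s.startswith(")"):
            return "".join(pieces), s[1:]
        else:
            return None, s


def recover_term(query: str):
    """Return the term a templated query will actually match, or None when
    the input escaped the literal and now contributes XPath syntax."""
    if not query.startswith(TEMPLATE_HEAD):
        return None
    term, rest = _parse_literal_expr(query[len(TEMPLATE_HEAD):])
    if term is None or rest != TEMPLATE_TAIL:
        return None
    return term


if __name__ == "__main__":
    # Constructed payload: closes the literal and adds an always-true predicate,
    # so the unsafe query matches every element instead of the searched text.
    payload = "') or true() or ('"
    print(build_query_unsafe(payload), "->", recover_term(build_query_unsafe(payload)))
    print(build_query_safe(payload), "->", recover_term(build_query_safe(payload)))
```

The same `xpath_literal` helper applies to any driver that takes an XPath string (Selenium's `find_elements(By.XPATH, ...)` included); where the XPath engine supports bound variables, passing the term as a variable is the simpler fix, but plain string-literal escaping is the portable one.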
OSSF Malicious Packages
added 2025/02/03 5:06 p.m., 2 views

Malicious code in web_automation_golden (npm)

--- -= Per source details. Do not edit below this line.=-...

AI score 7
Exploits 0
OSV
added 2025/02/03 5:06 p.m., 3 views

MAL-2025-882 Malicious code in web_automation_golden (npm)

--- -= Per source details. Do not edit below this line.=-...

AI score 7.1
Exploits 0
CNNVD
added 2024/05/14 12:00 a.m., 1 view

Nautobot Cross-Site Scripting Vulnerability

Nautobot is a network automation platform (the CNNVD entry describes it as a web automation platform). Nautobot is affected by a cross-site scripting vulnerability...

CVSS 7.5, AI score 6.9, EPSS 0.00266
Exploits 1, References 7
CVE
added 2023/07/05 7:25 p.m., 37 views

CVE-2023-34457

CVE-2023-34457 affects MechanicalSoup before 1.3.0: a malicious server can cause the client to upload local files via an HTML input type="file" element in a form. Root cause: the form-submission logic takes the tag's value as a local file path, reads that file and attaches it to the request, enabling unintended disclo...

CVSS 7.5, AI score 6.4, EPSS 0.02902
Exploits 1, References 4, Affected Software 1
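The CVE-2023-34457 entry describes a client that honours a server-supplied value attribute on `<input type="file">` as a local path to read and upload. The block below is an added example, not MechanicalSoup's code: a minimal form serializer written both ways, so the defect and the check sit side by side. The malicious form, the in-memory "filesystem" and the `fake_read` helper are all constructed here so the example runs offline; a real client would substitute `open(path, "rb").read()` for `fake_read`.

```python
from html.parser import HTMLParser

# Added example, not MechanicalSoup's code. Form and filesystem are constructed.
MALICIOUS_FORM = """
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="hidden" name="csrf" value="abc123">
  <input type="file" name="doc" value="/home/user/.ssh/id_rsa">
</form>
"""

FAKE_FS = {
    "/home/user/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY----- (constructed)",
    "/tmp/report.pdf": b"%PDF-1.4 (constructed)",
}


def fake_read(path: str) -> bytes:
    """Stand-in for open(path, 'rb').read() so the example runs offline."""
    return FAKE_FS[path]


class _InputCollector(HTMLParser):
    """Collects every <input> tag's attributes as a dict."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append({k: (v or "") for k, v in attrs})


def parse_inputs(html: str):
    p = _InputCollector()
    p.feed(html)
    return p.inputs


def serialize_form_unsafe(html: str, read_file=fake_read):
    """The defect: a server-supplied value on a file input names a local path
    that is read and attached to the outgoing request."""
    data, files = {}, {}
    for inp in parse_inputs(html):
        name = inp.get("name")
        if not name:
            continue
        if inp.get("type") == "file":
            path = inp.get("value")
            if path:
                files[name] = read_file(path)
        else:
            data[name] = inp.get("value", "")
    return data, files


def serialize_form_safe(html: str, chosen_files=None, read_file=fake_read):
    """Hardened: a type="file" input is attached only when the caller explicitly
    selected a path for that field name; the server's value attribute is never
    treated as a path."""
    chosen_files = chosen_files or {}
    data, files = {}, {}
    for inp in parse_inputs(html):
        name = inp.get("name")
        if not name:
            continue
        if inp.get("type") == "file":
            if name in chosen_files:
                files[name] = read_file(chosen_files[name])
        else:
            data[name] = inp.get("value", "")
    return data, files


if __name__ == "__main__":
    print("unsafe:", serialize_form_unsafe(MALICIOUS_FORM)[1])
    print("safe:  ", serialize_form_safe(MALICIOUS_FORM)[1])
    print("safe, user chose a file:",
          serialize_form_safe(MALICIOUS_FORM, {"doc": "/tmp/report.pdf"})[1])
```

The distinction the safe version enforces is the one browsers enforce: a page can name a file field, but only the user (here, the calling code) can choose which local file goes into it.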
Packet Storm
added 2021/04/30 12:00 a.m., 189 views

Piwigo 11.3.0 SQL Injection

Exploit Title: SQL injection in language parameter to admin.php?page=languages on Piwigo 11.3.0 Author: @nu11secur1ty Testing and Debugging: nu11secur1ty Date: 04.30.2021 Vendor: https://piwigo.org/ Link: https://github.com/Piwigo/Piwigo/releases/tag/11.3.0 CVE: CVE-2021-27973 + Exploit Source:...

CVSS 6.5, AI score 0.1, EPSS 0.00194
Exploits 4
Exploit DB
added 2021/04/26 12:00 a.m., 283 views

SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)

Exploit Title: SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2) Author: nu11secur1ty Testing and Debugging: nu11secur1ty Date: 04/25/2021 Vendor: https://www.seopanel.org/ Link: https://www.seopanel.org/spdownload/4.8.0 CVE: CVE-2021-28419 + Exploit Source: #!/usr/bin/python3 Author: @nu11secur1...

CVSS 7.2, AI score 7, EPSS 0.01005
Exploits 4
Packet Storm
added 2021/04/15 12:00 a.m., 270 views

htmly 2.8.0 Cross Site Scripting

Exploit Title: htmly 2.8.0 allows stored XSS Authors: @nu11secur1ty & G.Dzhankushev Date: 04.15.2021 Vendor: htmly Link: https://github.com/danpros/htmly CVE: CVE-2021-30637 + Exploit Source: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-26929 Exploit Program Code #!/usr/bin/python3...

CVSS 4.3, AI score 5.8, EPSS 0.01518
Exploits 9
Hacker One
added 2020/11/25 3:24 p.m., 11 views

GitLab: Remote hacker can download all the files of master branch in public projects where everything is members only.

Summary Hi team, I found this weird behavior which I thought I should report, a malicious hacker can remotely download files of any branch in a public project where all permissions are ==member-only==, Gitlab uses a link to download files of a branch, normally ==an unauthenticated user will not b...

AI score 7
Exploits 0
CNVD
added 2017/11/22 12:00 a.m., 2 views

Phoenix Framework Redirection Vulnerability

Phoenix Framework is a web automation testing framework that combines resource management and test execution. The framework supports unscripted execution, unattended execution, free customization and other execution modes. A redirection vulnerability exists in Phoenix Framework. An attacker...

CVSS 6.1, AI score 7, EPSS 0.01793
Exploits 0, References 1
n0where
added 2015/08/04 6:19 p.m., 307 views

Best Self Hosted Alternatives

Best Self Hosted Alternatives. Analytics: AWStats - Generates web, streaming, ftp or mail server statistics graphically. Source Code, GPLv3, Perl. Countly - Real time mobile & web analytics, crash reporting and push notifications platform. Source Code, AGPLv3, Javascript. Druid - A distributed, column-oriented...

AI score 7.3
Exploits 0, References 516